Data Breach Resolution
http://www.experian.com/blogs/data-breach
Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.
Fri, 31 Jul 2015 22:53:57 +0000

After a Data Breach: Keeping Customers Informed
Wed, 29 Jul 2015 10:46:50 +0000
http://www.experian.com/blogs/data-breach/2015/07/29/after-a-data-breach-keeping-customers-informed/

A data breach can increase a consumer’s risk of falling victim to identity theft. In order to mitigate this risk, federal and state governments have instituted regulations regarding the notification of affected consumers. But many consumers – inundated by news of mega breaches – may experience data breach fatigue, and do little or nothing at all when they receive that all-important notification letter.

In fact, we know from a 2014 Ponemon Institute study that more than a third of consumers who reported receiving breach notification letters also said they ignored the letters, taking no steps at all to prevent fraud. Ironically, however, they also expressed dissatisfaction with communications from the breached company, including the notification letters. Where are companies going wrong?

Too many organizations approach data breach notification as a regulatory compliance move (which it is) that they have to make, rather than regarding it as something that can also help their company recover more quickly from the reputational damages associated with a data breach.

Keeping customers informed after a data breach should be about more than meeting the letter of the law. Your communications should also focus on rebuilding consumer confidence in your brand. The consumers caught up in a data breach aren’t just one more technical detail you have to manage in order to achieve compliance; they are people who used to trust your company with their business. If you want them to continue trusting you, it’s imperative you give them a compelling reason to do so.

What constitutes good post-breach communication? It’s more than just sending out a notification letter when the law requires you to do so.

Writing in Forbes, reputation strategist Davia Temin suggests that companies should be the ones to break the news to their customers about a cyber incident. Fail to notify affected consumers right away, and the media will do it for you, she points out. We would build on that advice and remind you that being the bearer of breach news means that perfecting your initial data breach notification letter is essential – and it’s an opportunity to set the most positive, communicative tone possible going forward.

Your breach notification should be as detailed and accurate as possible, telling consumers what happened, how it could (and does) affect them, what you’re doing to repair the problem and how you plan to ensure it doesn’t recur. In the initial data breach notification letter, consider offering consumers identity protection services, such as credit monitoring and ongoing fraud resolution support.

To be most effective, your communications must not end with the notification letter. At some point in your data breach investigation, new information may emerge that’s relevant to affected consumers. Even if regulations don’t require you to do so, sending a follow-up letter with this new information may further reassure consumers that you’re still thinking of them – and working to protect them from any potential negative impact of the breach. It’s also essential that your call center can handle more detailed consumer concerns, and that your website can answer FAQs regarding the breach.

Maintaining regulatory compliance can help you avoid fines, but going the extra mile to embrace your breach population may help you avoid an even costlier consequence of a data breach – the loss of consumers’ trust and their business.

Are Your Employees Data Breach Risks?
Tue, 14 Jul 2015 18:13:11 +0000
http://www.experian.com/blogs/data-breach/2015/07/14/are-your-employees-data-breach-risks/

Your employees are your greatest asset, but they may also pose the greatest data breach risk to your organization. Unfortunately, multiple studies and research point to employees as the leading cause of data breaches.

Employees may put your data at risk in a number of ways, from failing to practice good password habits to losing a device that contains proprietary data. Whether their actions are accidental, intentional or simply negligent, the results of a data breach caused by employees can be devastating.

If you believe your organization could never experience a breach as a result of employee actions or negligence, consider these facts:

Human error was the source of 30 percent of all data breaches in 2014, according to the Ponemon Institute’s 2014 Cost of a Data Breach report. Malicious attacks – some of which may have been perpetrated by current or former employees – accounted for 42 percent.

Nearly three quarters (71 percent) of employees surveyed by Ponemon for the study “Corporate Data: A Protected Asset or a Ticking Time Bomb?” said they had too much access to confidential company data, 54 percent said their access is frequent and less than half (47 percent) said they believed their companies appropriately acted to protect company data accessed by its employees.

74 percent of IT professionals say that when there’s a company data breach, insiders are to blame, according to the Ticking Time Bomb report.

With training, however, you can help your employees reduce data breach risks as a result of their actions or inaction. Training and awareness programs need to be a vital, vibrant and evolving ingredient of your overall data breach preparedness plan. Employees should be clear on their responsibilities to help ensure your organization’s cybersecurity. Clearly defined and consistently communicated policies should be in place for all aspects of your company’s data management.

Be aware of common sources of leaks, such as contaminated email, hacked passwords or lost or stolen devices, and craft policies that address each specific risk by delineating preventive steps every employee should take. Restrict access to sensitive data to only those employees who truly require it in order to do their jobs, and employ multiple layers of verification to ensure the only people accessing the data are those authorized to do so. Finally, implement and enforce protocols to ensure that cloud services and mobile devices are as secure as possible.

Proper training and the guidance of clearly defined security policies can help ensure that your employees remain your organization’s most valuable assets – and minimize the risk that they will be the source of a data breach.

Cyber Criminals, Spies and Activists – Know the Enemy
Tue, 30 Jun 2015 20:23:26 +0000
http://www.experian.com/blogs/data-breach/2015/06/30/cyber-criminals-spies-and-activists-know-the-enemy/

Who is behind cybercrimes? When it comes to these thieves behind computers, not all perpetrators are the same, and how they ply their attacks can vary greatly, too. To effectively protect your organization from cybercrime, it’s vital to understand the many ways in which it occurs, and the many types of cyber criminals who perpetrate it.

In 2014, the total cost of cybercrime in the United States was approximately $12.69 billion, according to the Ponemon Institute. What’s more, the costs and frequency of cybercrime continue to rise. Although the methods that cyber crooks employ are almost as numerous as the criminals themselves, some types of attacks and attackers are most common.

Hacks and hackers

A hacker is anyone who breaks into a network, database or system they are not authorized to access. Their motivations vary widely. Some do it just for thrills. Others hack for monetary gain. Hacking occurs in many ways, from high tech to mundane. For example, a hacker may simply steal or guess at a password that gains them access to a network or database. Or, they may use specially created software to exploit vulnerabilities in a system’s security protocols.

Hacktivists

Another type of hacker commits their crimes with an agenda. Hacktivists use traditional hacking methods to aggressively promote their cause or issue. They’re not hacking for money, information or thrills, but rather to draw attention to an issue or embarrass an organization. Back in 2011, hacktivists accounted for 58 percent of all data theft, WatchGuard Security Center reports. Today, most hacking occurs for profit.

Spies and spyware

Corporate espionage has been around about as long as corporations have, and corporate spies have embraced the digital age. Cyber spies may work on behalf of the government, a corporation or themselves. They infiltrate networks and databases to steal massive amounts of information. What they do with the stolen data varies, but some may sell information to identity thieves, others use it to undermine a corporation’s business, and still others leverage stolen data for political gains.

Phishers and scammers

The folks who perpetrate online scams or cast phishing emails into the great sea of the Internet usually have fairly easy-to-understand motivations: they’re out for money. They may steal money directly from consumers by tricking them into giving up financial account information that the scammers can then use to access and clean out the account. Or they may even convince victims to send them money directly. Others steal identifying information that they then use to open new credit accounts in the victim’s name. In December 2014, RSA estimated phishing attacks cost about $453 million globally.

While these are some common types of cybercrime, new forms emerge every year. Regardless of the type of crime, the results can be devastating for corporations and the consumers who do business with them. The continued growth of cybercrime means organizations must be vigilant about prevention, prepared to detect attacks quickly, and have a solid plan in place for dealing with the aftermath of a data breach or other form of cyberattack.

Data breach legislation continues to be on policymakers’ radar
Wed, 24 Jun 2015 00:25:53 +0000
http://www.experian.com/blogs/data-breach/2015/06/24/data-breach-legislation-continues-to-be-on-policymakers-radar/

While there is momentum for data breach legislation, there continue to be hurdles to seeing any laws come to fruition. But there is certainly optimism.

The most pressing issue today is whether a national data breach law will be passed. Most support this concept; however, there is a lack of agreement on the details, and Congressional committees failed to get enough backing for several of the bills introduced to be signed into law.

With 49 different state-based data breach notification bills, including Puerto Rico and the District of Columbia, many lawmakers and industry groups think creating one federal standard should be Congress’s top 2015 cybersecurity priority. While unsuccessful so far, we’ll continue to see a push for this to pass. It certainly will be even more of a priority in light of the recent Office of Personnel Management data breach, which exposed the files of four million federal workers.

However, industry groups are worried a federal standard could drive over-notification, where consumers are inundated with messages that their data has been exposed. Another concern is that a federal rule would be weaker than some of the state laws already in play.

While policymakers hash things out, companies are left trying to navigate the complex legal requirements. We always advise clients to seek outside legal counsel with an expertise in data breaches. Law firms that have both previous experience managing data breach litigation and that have established relationships with local regulators such as the state attorneys general are ideal.

Further, they should be able to provide insights about the latest developments in case law, which should inform the counsel involved across the board. A good legal partner should also have experience that goes beyond simply helping with formal legal notification. They should be able to serve as an overall breach coach with a strong understanding of what’s needed from the technical investigations, as well as the potential implications of legal decisions on trust and reputation.

To help companies keep abreast of what is happening on The Hill regarding data breach legislation, we released our annual white paper on the topic that can be downloaded here: http://bit.ly/2015LegislativeWhitePaper.

Recognize Internet Safety Month As a Reminder To Keep Data Secure
Tue, 02 Jun 2015 16:37:50 +0000
http://www.experian.com/blogs/data-breach/2015/06/02/recognize-internet-safety-month-as-a-reminder-to-keep-data-secure/

Airtight firewalls and current-to-the-minute defensive software aren’t enough to keep your organization safe from cyber attacks. Your IT team could be doing everything right, and your company may still be at risk from internal threats – because just one employee thinks that cybersecurity isn’t his or her job.

Our Second Annual Data Breach Preparedness Study casts a stark light on the threat: 43 percent of the companies we surveyed do not have privacy and data protection awareness training for employees and others with access to sensitive information, and 66 percent either don’t have or don’t know if they have programs in place to train customer services personnel to deal with consumer inquiries regarding a data breach. Those statistics perhaps go a long way toward explaining another: 59 percent of security incidents in 2013 occurred because of employees and/or negligence, according to another Ponemon study.

Cybersecurity and data breach preparedness is everyone’s job, and National Internet Safety Month is the perfect time to foster a culture of vigilance among all your employees. Since it’s likely that nearly everyone in your organization uses the Internet in some capacity, and they’re also more likely to be aware of personal cyber risks, internet security is a great starting point for your dialogue with employees.

This month, consider providing training programs on these vital topics:

BYOD (Bring Your Own Device) – It’s not uncommon for employees to use personal devices such as smartphones and tablets to do work activities such as send emails and access data on company servers. Your organization should have a clearly defined BYOD policy and all employees should be aware of expectations and limitations regarding their use of personal devices for work.

Controlling personal Internet use at work – During their lunch hours and coffee breaks, employees may shop online and check their personal email. They may be doing those personal actions during down times at work, but are they using your systems to do so? Personal Internet activity at work doesn’t just threaten productivity, it may put your systems at risk, too. Email attachments, suspicious links and bogus websites can expose your systems and data to viruses or malware.

Route all software downloads through the IT team – As part of your cybersecurity policies, make sure employees understand that only your IT team is authorized to download software. If an employee wishes to download business-related software to his or her work PC, they should have IT review the software first and then handle the download. This helps ensure your IT team is aware of every piece of software in your system.

Email security – Email has become a primary mode of communication in many offices, and it’s not unusual for key employees to handle hundreds of emails each day. Establish policies for what type of information can be shared via email – to help protect your business’ sensitive data.

Preach password protection – The Anthem mega data breach that occurred late last year and was disclosed earlier in 2015 has been linked to compromised employee credentials. It’s vital that employees protect their logon IDs and passwords, craft strong passwords and change passwords regularly to help keep current information secure.

While June is a great time to focus on cybersecurity, the dialogue between employer and employee should continue year-round. Data breaches pose significant risks to companies and their business viability; ensuring your organization is as well protected as possible is a task for everyone who’s part of it.

Do your cyber security measures address the possibility of a data breach occurring through the wireless-enabled refrigerator in the break room of your corporate headquarters? Have you made provisions if a hacker accesses sensitive data through wearable technology? Will your data breach response plan provide adequate guidance if a breach occurs through the Internet of Things?

Connectivity – and risk – is no longer limited to desktop PCs, laptops or smartphones. More devices than ever are now interconnected, from smart electric meters that communicate a home’s energy consumption directly back to the electricity provider, to wearable health monitors that let your friends know where you are and how far you jogged to get there. Every device that’s connected to the Internet exposes a potential vulnerability that enterprising cyber criminals can exploit.

In our 2015 Data Breach Industry Forecast, Experian Data Breach Resolution identified the Internet of Things as a significant point of concern for companies in 2015. In January, the Federal Trade Commission released a report that underscored the importance of addressing this still-emerging risk. The FTC reported that by 2020, an estimated 50 billion devices will be interconnected through the Internet of Things.

As more devices with Wi-Fi capability enter the marketplace, the points of entry for cyber criminals expand apace. While there are many benefits for companies and individuals to adopt more interconnected products, this increased connectivity will also lead to escalated risk of outside parties being able to access confidential data. It’s vital that companies take steps to manage these risks.

The FTC’s report outlined several points well worth keeping in mind as you update your data breach response plan to address the risks associated with the Internet of Things.

Just as different connected devices have different functions – cameras that take a picture, then upload it at the click of a button versus a home security system that communicates directly with the security monitoring vendor – they’ll have different security vulnerabilities. Security measures will need to address the type of device, the type of data it has access to, and the value of that data.

Employees should be trained in IoT risks and security measures.

Manufacturers of connected products should practice data minimization, and collect and use the bare minimum needed to make the product function as intended.

Companies should inform consumers of possible risks associated with connected devices, and provide them with guidance in using products in a secure manner.

IoT risks potentially threaten not only a company’s networks and systems, but consumer privacy as well. IoT threats could increase a company’s risk of running afoul of privacy and data breach laws.

The Internet of Things offers vast potential benefits for consumers and companies alike. Just as you update your cyber security policies and data breach response to address other emerging threats, it’s important to consider potential IoT risks and make provisions to minimize the threats.

Cybercriminals Cashing in as Companies Struggle to Secure Payment Systems
Tue, 05 May 2015 21:36:59 +0000
http://www.experian.com/blogs/data-breach/2015/05/05/cybercriminals-cashing-in-as-companies-struggle-to-secure-payment-systems/

Experian Data Breach Resolution and Ponemon Institute release the first industry study that closely examines payment technologies and how companies are managing the growing threat of data breaches.

The study, Data Security in the Evolving Payments Ecosystem, asked professionals to weigh in on several topics including who should be responsible for securing payment systems and how effective their organizations are in preparing for and responding to a payment card breach.

Ponemon Study Looks at the Security of the Payment Card Ecosystem
Wed, 29 Apr 2015 07:00:15 +0000
http://www.experian.com/blogs/data-breach/2015/04/29/ponemon-study-looks-at-the-security-of-the-payment-card-ecosystem/

Payments fraud and data breaches are top security challenges for corporations across every industry, but how do the threats relate to each other? Do the newest payments technologies increase the risk of a data breach?

We considered those and other pressing questions in our new study, “Data Security in the Payments Ecosystem,” conducted by the Ponemon Institute.

Recent mega breaches and third-party research illustrate the need to consider the inter-relatedness of payments security and data security. In 2012, 85 percent of all non-cash payments were card and ACH payments, constituting 67 percent of the total value of non-cash payments that year, according to the 2013 Federal Reserve Payments Study. And in 2013, 60 percent of organizations surveyed by the Association for Financial Professionals reported they’d been exposed to actual or attempted payments fraud.

In light of those statistics, our payments study aimed to explore if the security of personal data is tracking with the rapid evolution of new payment methods and advances in existing payments technologies. Our findings were mixed. While survey respondents exhibited a high level of understanding of data breach risks, it’s clear from their responses that more needs to be done to secure data in the payments ecosystem.

Participating organizations included retailers, financial institutions, payment processors, credit card brands, regulators, consumers and other stakeholders involved in payments. On average, these organizations experienced three data breaches in the past two years, involving an average of 8,000 customer records. Checks, credit or debit cards, e-payments, mobile payments, e-Wallet and virtual currency were among the payments methods employed by these organizations.

They don’t view themselves as primarily responsible for ensuring the security of payments; 45 percent said that onus falls on banking institutions, and 40 percent on credit card companies.

On a positive note, 50 percent said the banking institutions they hold responsible for security are also the most innovative in developing new payment systems solutions.

When considering how payments security relates to data breaches, companies were largely aware of the potential inter-relatedness of the issues. The majority felt that payments innovations such as virtual currencies, mobile payments, near field communications and e-Wallets were the innovations most likely to increase the risk of a data breach. And many organizations face a challenge trying to balance easy, convenient implementation of new payment methods with security. While 66 percent agreed that authentication risks present challenges to implementation of new payment methods, 68 percent said the pressure to migrate to those systems worsened security risks.

Following a data breach, 61 percent of companies said their data breach response was less than effective, and only 29 percent offered affected consumers credit report monitoring. Yet 57 percent said that offering protective services to breached customers was worth the cost, and 61 percent said providing consumers with identity theft protection post-breach is a best practice.

Clearly, companies are aware of the potential link between payments fraud and data breaches, but are also cognizant of the fact that more needs to be done to secure their organizations and their customers. The Data Security in the Payments Ecosystem study is available for free download from Experian Data Breach Resolution.

Damage Beyond Cost: How Data Breaches Undermine Consumer Confidence
Tue, 21 Apr 2015 23:26:41 +0000
http://www.experian.com/blogs/data-breach/2015/04/21/damage-beyond-cost-how-data-breaches-undermine-consumer-confidence/

When a data breach occurs, the monetary costs can be horrific for the affected company. The Target cyberattack cost the retailer more than $17 million, the Washington Post reported. The breach of health insurance company Anthem earlier this year is already running cost estimates in excess of $100 million. Yet even when the monetary costs are incredibly high, they’re not the most damaging effects of a data breach. The loss of consumer confidence can be even more devastating.

Being caught up in a data breach undermines consumers’ confidence in their future financial well-being, as well as their opinion of the breached company, Experian research shows. Following a data breach, 45 percent of affected consumers said they were extremely worried about becoming victims of identity theft, and 48 percent said their identities would remain at risk for years or even forever, according to the report “The Aftermath of a Mega Data Breach: Consumer Sentiment” by the Ponemon Institute.

A survey of retail customers by Retail Perceptions found that after a data breach, 12 percent of retail customers said they would stop shopping at the affected retailer. Additionally, 79 percent of those who would continue the relationship would never again use credit or debit cards to make purchases there, and 26 would spend less with the retailer. In a survey of nearly 2,000 American consumers, software buying consultancy Software Advice found that nearly 50 percent said that if their personal information were compromised in a data breach, there is nothing a breached company could do to win back their confidence.

As daunting as this information may seem, there is good news. Perhaps unsurprisingly, companies that respond well to a data breach fare better in terms of consumer sentiment than those who fumble their response.

Among the Retail Perceptions survey respondents, 22 percent said that as long as the retailer resolved the security issue that caused the breach, they would be comfortable returning there to shop. More than half (52 percent) also said they would be willing to enroll in a loyalty program if the security issues had been resolved. A third of those surveyed by Software Advice said that if a company increased its cyber security spending, their confidence in the company would also improve. And 45 percent of those surveyed by Ponemon said they continued to do business with the breached company because they felt it had resolved the data breach to their satisfaction.

So how should companies respond to a data breach? Our Ponemon research indicates that the key points for consumers are those which a company really needs to start working on before a breach ever occurs. Consumers stressed the need for clear communication and a well-managed response. Sixty-three percent wanted free identity theft protection, 67 percent wanted clear communications that didn’t “sugar coat” information, and 56 percent wanted full disclosure of all the facts.

When a breach happens, even the most efficient, agile organization will be hard-pressed to meet those expectations unless they have prepared in advance. The first step toward retaining or regaining consumer confidence in the wake of a data breach needs to occur before a cyberattack does. A well-formulated, comprehensive and effective data breach response plan can be the difference between devastating reputational costs and a successful rebuilding of consumer trust.

Don’t Fall for Phishing Scams
Tue, 07 Apr 2015 16:10:20 +0000
http://www.experian.com/blogs/data-breach/2015/04/07/dont-fall-for-phishing-scams/

Picture this all-too-plausible scenario: a small business owner receives an authentic-looking email from a payee with whom his company regularly does business. The email states that due to lost records, the company will stop issuing payments to the small business unless someone verifies account information by clicking an enclosed link and completing an online form. Knowing the company has a significant accounts receivable balance, and that his small business needs those payments to stay in the black, the SBO clicks the link and fills out the form.

He’s just been phished, and the impact of getting hooked by this type of cyber scam can be devastating. Not only has the SBO compromised his own financial and business data, he may well have put at risk the data of all his customers and other vendors with whom he does business. Phishing can open the door to a data breach, so it’s vital to be aware of the common ways cyber crooks try to dupe consumers and businesses.

In 2013, more than 448,000 phishing attacks netted scammers an estimated $5.9 billion. All forms of identity theft, including phishing, affected 13.1 million victims in 2013 and caused about $18 billion in losses. What’s more, the number of people who fall victim to identity theft following a data breach is increasing; in 2010, just one in nine data breach victims had their identities stolen, and in 2013 it was one in three.

Common ways in which phishing occurs include:

A phone call from someone claiming to be with a credit card company trying to verify a purchase.

A claim – either by phone or email – that lost records have made it necessary for you to provide information to continue service, receive payment, etc.

A threat to close or suspend a financial account unless you verify information.

Phishers use a variety of vehicles to cast their nets, including email, snail mail, telephone, text message and interception of information from a legitimate website. They’re looking for valuable data such as real names and/or user names, passwords and PINs, street addresses, Social Security numbers, and credit card, financial account or verification numbers.

Once they have your data, phishers and other cyber criminals can use it to steal consumer and business identities, open fraudulent lines of credit … even walk their way into a data breach of major proportions. Businesses need to be as vigilant about phishing as consumers do. Learn to recognize the signs of a phishing scam and train employees on how to respond if they suspect an email, phone call, text message or other type of contact is really a phishing scam.